ryan.mcgee/logseq-notes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
33ccffdc971c0ab7c2c0689110b62404151cd075
logseq-notes/pages/SY0-701 - CompTIA Security+%3A Security Goals & Controls.md
T

13 KiB
Raw Blame History

The CIA Triad

collapsed:: true - ## Confidentiality - Measures an attacker's ability to get unauthorized access to data or information from an application or system - It involves using techniques, often cryptography, to allow only approved subjects with the ability to view the information - Confidentiality includes preserving authorized restrictions on information access disclosure - It is a means for protecting personal privacy and proprietary information - Confidential information can include - Passwords - Cryptographic keys - Personally Identifiable Information (PII) - Personal Health Information (PHI) - Intellectual Property (IP) - other sensitive information - Examples of Confidentiality - Using and IPsec Virtual Private Network (VPN) - Leveraging mutual Transport Layer Security (TLS) between a web browser and web server or controller - Storing sensitive data or credentials in a mobile device partition or secure enclave - Implementing AES encryption on data at rest in storage (file, block, object, databases, etc.) - ## Integrity - Integrity involves safeguarding against improper information modification or destruction - It is a property that data or information have not been altered or damaged in an unauthorized way - Integrity is the quality of and IT system that reflects: - The logical correctness and reliability of the operating system - The logical completeness of the hardware and software that implements the protection mechanisms - The consistency of the data structures and occurrence of the stored data - Examples of Integrity - An operating system performs a mathematical checksum when a file is moved or copied from one volume to another - A frame check sequence conducted on an Ethernet frame when sent from one MAC address to another - A hashed message authentication code applied to advertisements sent between neighbor systems such as routers or gateways - Implementing a mandatory access model technique such as Biba or Clark-Wilson - ## Availability - Availability is the process of ensuring timely and reliable access to and use of information - It is a property of data, information, applications, systems, or services that are accessible and usable upon demand by an authorized subject - "High Availability" is a failover feature to ensure availability during device or component interruptions, both planned and unplanned - Examples of Availability - Implementing security controls that protect systems and services from spoofing, flooding, denial-of-service (DDoS), poisoning, and other attacks that negatively affect the ability to deliver data, content, or services - Vulnerabilities that impact availability can affect hardware, software, and network resources, such as flooding network bandwidth, consuming large amounts of memory, CPU cycles, or unnecessary power consumption. - Assuring that technical controls such as firewalls, IPS sensors, anti-virus, and endpoint protection are always reliable and deployed in a failover group or cluster - Determining the best disaster recovery site solution for every scenario or situation for an organization

  • Non-Repudiation

    collapsed:: true
    • Enforcing the inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication such as an email
    • Non-Repudiation is the property of agreeing to adhere to an obligation
      • More specifically, it is the inability to refute resposibility
    • For Example, if you take a pen and sign a legal document, your signature is a non-repudiation device
    • In IT, non-repudiation is usually accomplished with a public/private key pair cryptosystem and digitally signed certificates between the sending and receiving parties

  • Authentication, Authorization, and Accounting (AAA)

    collapsed:: true

    • Authentication

      • The process of validating that an entity (user, application, or system) is who or what they claim to be

    • Authorization

      • The process of granting an authenticated entity permission to access a resource or perform a specific function

    • Accounting

      • basically, when did the entity begin, when did it end, and how long did they do it?

    • Character Mode vs. Packet Mode

      • Character mode sends keystrokes and command (characters) to a network admission device for the purpose of configuration or administration on that same device
      • Packet (or network) mode occurs when the network admission device serves as and authentication proxy on behalf of services in other networks such as web, FTP, DNS, etc.

    • Authentication

      • Authentication subjects is technically mandatory, even if using open or anonymous techniques
      • Historically, clients would initiate a TCP three-way communication handshake before the authentication process
      • This is now considered sub-optimal and a violation of "zero-trust" principles

    • Authorization

      • Authorization is technically optional for authenticated entities and is mandatory from a practical policy standpoint
      • In modern security deployments, it is desirable to implement session-based (tokens) and attribute-based authorization mechanisms

    • Accounting

      • Accounting is generally implemented for two use cases:
        • Monitoring, visibility, and reporting
        • Billing, chargeback, and reporting
      • RADIUS is one of the most popular IETF-based AAA services, and is known for exceptional accounting capabilities
      • DIAMETER is the next generation of RADIUS

  • Authenticating People

    collapsed:: true
    • Authenticating a person entity means confirming that they are who they claim to be
    • This confirms only those with authorized credentials gain access to secure systems
    • Usernames/webmail/email and a password is still the most common factor for authenticating people
    • There should always be another robust factor added to a simple credential today
    • Common ways to authenticate people
      • A password, PIN, or passphrase they know
      • A smart card token or fob that they possess
      • A digital certificate they present
      • A biometric attribute
      • A QR or other code that they present on a device

  • Authenticating Systems

    collapsed:: true
    • There are many different types of entities or principals that can be authenticated other than people
    • These subjects are often called "non-person entities" (NPEs)
      • Laptops and pads
      • Mobile devices
      • Gateways and load balancers
      • Robotics systems
      • Embedded devices
      • Internet of Things (IoT) endpoints

    • Endpoint Authentication

      • Endpoint (or device) authentication is a security technique designed to ensure that only authorized devices can connect to a given network, site, or service
      • Endpoint security management is rapidly emerging as an important area in machine-to-machine (M2M) communications and the Internet of Things (IoT)
      • Endpoint fingerprinting is one way to enable authentication of non-traditional network endpoints such as smart card readers, HVAC systems, medical equipment, and IP-enabled door locks

    • Common Device (Endpoint) Authentication Methods

      • A shared secret key stored on endpoints (wireless) or infrastructure devices
      • An X.509 v3 device certificate stored in a software application
      • A cryptographic key, certificate, or other credential stored at the hardware level in a trusted platform module
      • A key stored in a hardware security modules (HSM)
      • A protected access file (PAC) in Cisco infrastructure

  • Authorization Models

    collapsed:: true

    • DAC

      • Discretionary Access Control (DAC): grants access control decisions to the resource owners and custodians
      • Each resource typically has an owner who determines the access permissions and shares
      • The owner can grant or revoke access rights for other users or groups
      • DAC offers flexibility and allows resource owners to have fine-grained control over access, but it can also result in inconsistent access control decisions
      • It is the most prone to "privilege creep"

    • RBAC

      • Role-Based Access Control (RBAC) grants access based on predefined roles or job titles
      • Users are assigned roles, and access rights are associated with these roles
      • Instead of directly assigning permissions to individual users, permissions are assigned to roles, and users inherit the access rights associated with their assigned roles, for example:
        • Various roles in a hospital or medical center
        • Built-in roles in a database management system
      • RBAC streamlines access control administration by grouping users with similar job functions and offering a scalable approach to access management

    • MAC

      • A Mandatory Access Control (MAC) a strict mathematical model where access to resources is determined by the system based on predefined security labels and rules
      • Principals are assigned security clearances or classification levels (top secret, secret, confidential, etc.)
      • Resource objects are labeled with sensitvity levels
      • Access is granted or denied by comparing these labels and rules, ensuring strict control and preventing unauthorized access
      • This is a "non-discretionary" model

    • ABAC

      • Attribute-based Access Control (ABAC) grants access based on a combination of characteristics associated with users, resources, and environmental conditions
      • Attributes can include user attributes (e.g. job title, department), resource attributes (e.g. sensitivity level, classification), and environmental attributes (e.g. time of access, location)
      • Authorization policies are defined using these combinations, and decisions are made based on evaluating the attributes against the defined policies

    • ABDAC

      • Attribute-based Dynamic Access Control (ABDAC) combines the principles of Attribute-based access control (ABAC) with dynamic access control (DAC)
      • It considers dynamic factors such as risk assessment, user attributes, resource attributes, and contextual information to make access control decisions in real time
      • ABDAC provides more fine-grained and context-aware access control needed in "zero-trust" environments when compared to traditional static access control models

    • Rule-based

      • Rule-based access control (RBAC): RBAC uses rules to determine access
      • Access control rules define conditions or criteria that must be met for access to be granted
      • These rules can be based on several factors, such as user attributes, resource attributes, time of access, and more
      • Access decisions are made by comparing these rules against the context of the access request - usually IP transport and network layer header metadata

  • Control Categories

    collapsed:: true
    • Technical, Managerial, Operational, and Physical

    • Technical Controls

      • Technical controls are security mechanisms that the specific systems run - either manually or, more often, automated and orchestrated
      • These control deliver confidentiality, integrity, authenticity, and availability protections
      • They defend against unauthorized access or misuse
      • They also facilitate the detection of security violations and support security requirements for applications and data

      • Common Technical Controls

        • Infrastructure security and device hardening
        • Identity and access (IAM) management engines
        • Cryptographic key management and HSMs
        • Cloud-based threat modeling tools
        • SIEM and SOAR systems

    • Managerial Controls

      • Managerial (also administrative) control define policies, procedures, best practices, and guidelines
      • They are usually more logical in nature
      • Should be a published or printed definition of poicies
        • No piggybacking (tailgating)
        • Acceptable Use Policies
        • Best practices guidelines
        • Password policies
        • Screening, hiring, and termination procedures
        • Mandatory vacations
        • Training and awareness

    • Operation Controls

      • Operational controls support ongoing maintenance, due care, and continual improvement
        • Optimizing the change and configuration management database
        • Performing tested patch management
        • Conducting awareness and training
        • Monitoring physical and environmental controls
        • Incident response and disaster planning testing and drills
        • Performing software assurance initiatives
        • Ongoing mobile device and mobile application management

    • Physical Controls

      • Physical controls are introduces to protect the campus, facility, environment, and people
        • Various physical barriers
        • Guards and security teams
        • Cameras and surveillance equipment
        • Different types of sensors and alarms
        • Locking mechanisms
        • Secure safes, cabinets, cages, and areas
        • Mantraps and Faraday cages
        • Fire detection and suppression systems
        • Environmental Controls

  • Control Types

    collapsed:: true
    • Preventative, Deterrent, Detective, Corrective, Compensating, Directive
    • | Preventative | Deterrent | Detective | Corrective | Compensating | Directive| | Stops and attacker from successfully conducting and exploit or advanced threat | Discourages and attacker from initiating or continuing an attack | Identifies and attack that is occurring as well as the steps of the kill chain | Restores a system to a state before the negative event occurred; can simply rectify or correct an identified problem | Aids controls that are already in place or provides a temporary stopgap solution | Mandatory policies and regulations that are in place to maintain consistency and compliance |
Reference in New Issue View Git Blame Copy Permalink